Please note that this article was updated on 19 May 2018. We have still not received any formal clarification on the matter. Therefore, we have added further instructions at the end of this article under "I have previously had the 'marketing' checkbox pre-ticked. What should I do now?" and in "Ready for 25 May 2018 (GDPR enforcement date)? A Cookiebot checklist".
In addition, we have implemented an easy way for you to renew your existing user consents with minimal disturbance to your users. This can be done after you have made any necessary changes. Please see: Renew existing user consents.
Cookiebot is providing Privacy by Design
It is important to understand that when correctly implemented, Cookiebot provides Privacy by Design – a cornerstone in the GDPR legislation and mindset. Even if the checkboxes are pre-checked, they are not pre-enabled. It is only when a website user submits a consent that the state of the checkboxes will apply, thus still giving the users a transparent and genuine choice, as required under GDPR.
What does the GDPR say about checkboxes?
GDPR Recital 32 states the following (our emphasis):
"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided."
What are you doing to clarify this matter and what should I do on my website?
We have reached out to the Article 29 Data Protection Working Party for a clarification on how this will be interpreted under GDPR after 25 May 2018. We are still awaiting their answer and will inform all registered Cookiebot users when we receive a reply. We have also reached out to other relevant institutions to push for clarification. In addition, the lawyers of some of our large enterprise customers are also reaching out to relevant parties in search of clarification.
In the meantime, you can easily choose whether you would like the checkboxes in your cookie consent banner to be pre-ticked or not:
- Log in to your account https://manage.cookiebot.com/goto/login
- Go to the menu point ‘Settings’ and the tab ‘Dialog’
- Choose a banner type from the ‘Type’ drop-down. If you choose ‘Multilevel’ or ‘Inline multilevel’, you can choose the default mode of the 3 categories/checkboxes (necessary cookies are by default pre-checked as they are necessary for your website to function)
- Save your settings (tick mark in the blue bar on the left-hand side)
Why does the cookie consent banner on www.cookiebot.com have 3 out of the 4 categories pre-ticked?
We have chosen to pre-tick the ‘preferences’ and ‘statistics’ checkboxes in our own banner (but not the ‘marketing’ category). The user can easily change this prior to clicking ‘ok’ and giving consent.
We do so because we are not making use of any cookies or trackers that contain personal data in those two categories. Therefore, they do not fall under GDPR. It is also compliant with the ePrivacy Directive, which does not set out restrictions on whether boxes are pre-ticked.
Whether this applies also to your website depends on whether you have correctly anonymized your statistics data and on what other cookies are in use on your website in those categories. Therefore, do check your own website before applying our banner settings to your own banner.
UPDATED: I have previously had the ‘marketing’ checkbox pre-ticked. What should I do now?
The Article 29 Data Protection Working Party (WP29) has recently finalized and issued updated Guidelines on consent under Regulation 2016/679 (wp259rev.01). In these guidelines they clearly state that the use of pre-ticked checkboxes (for cookie categories containing personal data) is not allowed under GDPR. They also state that consents obtained prior to 25 May 2018 by the use of pre-ticked checkboxes will not be valid after 25 May 2018. While we still believe that the Cookiebot solution – when implemented correctly – provides the required Privacy by Design, as long as we have no formal clarification, we do not want to run any unnecessary risks and especially not on your behalf.
Therefore, if you have previously used a cookie consent banner where the checkbox for ‘marketing cookies’ has been pre-ticked, it is advisable to un-tick the checkbox in order not to risk being non-compliant after 25 May 2018. See instructions above for how to make the ‘marketing’ category un-ticked by default.
If you know that personal data is also being processed in the other categories – for example if you have not anonymized your statistics cookies – then you should also un-tick that/those categories. Most often personal data is not processed in the statistics category and rarely, if ever, in the preferences category.
Please note that if you decide to make this change, it will be effective from now and going forward. It is important that you un-tick the marketing checkbox before 25 May 2018. When you have made any changes – if necessary – please see "Renew existing user consents" for how to renew your existing user consents that have been obtained via the previously used cookie consent banner. You may also check "Ready for 25 May 2018 (GDPR enforcement date)? A Cookiebot checklist" and "What type of cookie consent banner should I use (to be GDPR compliant)?" to check if you need to make any other changes before renewing your user consents.
Last updated: 19 May 2018
Comments
If we keep using necessary cookies even without an explicit consent, just like you do, are we GDPR-compliant or not?
"We have reached out to the Article 29 Data Protection Working Party for a clarification on how this will be interpreted under GDPR after 25 May 2018. We are still awaiting their answer and will inform all registered Cookiebot users when we receive a reply. We have also reached out to other relevant institutions to push for clarification. In addition, the lawyers of some of our large enterprise customers are also reaching out to relevant parties in search of clarification."
Any news regarding this matter?
Thank you for your time and effort to seek clarification.